RFC 3588: Diameter Base Protocol
RFC-Ref

authentication



... Authentication, Authorization and Accounting (AAA ...
... [RADIUS] defines an application-layer authentication and integrity scheme that is required only for use with Response packets. While [RADEXT ...
... scheme that is required only for use with Response packets. While [RADEXT] defines an additional authentication and integrity mechanism, use is only required during Extensible Authentication Protocol (EAP ...
... RADEXT] defines an additional authentication and integrity mechanism, use is only required during Extensible Authentication Protocol (EAP) sessions. While attribute-hiding is supported, ...
... IPsec is not required. Since within [IKE] authentication occurs only within Phase 1 prior to the establishment of IPsec SAs ...
... Diameter protocol to support the following required features: - Transporting of user authentication information, for the purposes of enabling the Diameter server to authenticate the user. ...
... - Transporting of user authentication information, for the purposes of enabling the Diameter server to authenticate the user. - Transporting of service ...
... client generates Diameter messages to request authentication, authorization, and accounting services for the user. A Diameter ...
... agent is a node that does not authenticate and/or authorize messages locally; agents include proxies ...
... relay agents. A Diameter server performs authentication and/or authorization of the user. A Diameter node ...
... NASREQ documents describe applications that use this base specification for Authentication, Authorization and Accounting. ...
... - Creating new AVPs - Creating new authentication/authorization applications - Creating new accounting ...
... - Creating new accounting applications - Application authentication procedures Reuse of existing AVP values ...
... Creating New Authentication Applications ...
... round trips to complete). - Adding support for an authentication method requiring definition of new AVPs for use with the application. Since a new EAP authentication ...
... authentication method requiring definition of new AVPs for use with the application. Since a new EAP authentication method can be supported within Diameter without ...
... EAP methods does not require the creation of a new authentication application. Creation of a new application should be viewed as a last resort. An ...
... the Diameter Accounting messages (see Section 9.3). However, just because a new authentication application id is required, does not imply that a new accounting application id is required. ...
... bit is set when the same AVP is used within other Diameter commands (i.e., authentication/authorization commands). ...
... Application Authentication Procedures ...
... When possible, applications SHOULD be designed such that new authentication methods MAY be added without requiring changes to the application. This MAY require that new AVP values be assigned to ...
... application. This MAY require that new AVP values be assigned to represent the new authentication transform, or any other scheme that produces similar results. When possible, authentication frameworks ...
... represent the new authentication transform, or any other scheme that produces similar results. When possible, authentication frameworks, such as Extensible Authentication Protocol ...
... authentication frameworks, such as Extensible Authentication Protocol [EAP], SHOULD be used. ...
... AAA Authentication, Authorization and Accounting. ...
... serving the same user. Authentication The act of verifying the identity of an entity ...
... encapsulate protocol-specific data (e.g., routing information) as well as authentication, authorization or accounting ...
... Diameter Server A Diameter Server is one that handles authentication, authorization and accounting requests ...
... identity and realm. The identity is used to identify the user during authentication and/or authorization, while the realm is used for message routing ...


... Diameter protocol may be used by itself for accounting applications, but for use in authentication and authorization it is always extended for a particular application. Two Diameter applications ...
... Session-Id. The initial request for authentication and/or authorization of a user would include the Session-Id ...
... - A complex network will have multiple authentication sources, they can sort requests and forward towards the correct target. ...
... Diameter Server. HMS identifies that the request can be locally supported (via the realm), processes the authentication and/or authorization request, and replies with an answer, which is routed back to NAS ...
... NASes, they do not allow access devices to use end-to-end security, since modifying messages breaks authentication. Proxies ...
... End-to-end security services include confidentiality and message origin authentication. These services are provided by supporting AVP ...
... IPsec). Therefore, each connection is authenticated, replay and integrity protected and confidential on a per-packet ...


... Application-ID is four octets and is used to identify to which application the message is applicable for. The application can be an authentication application, an accounting application or a vendor ...


... Diameter AVPs carry specific authentication, accounting, authorization ...


... discovered peers are authorized to act in its role. Authentication via IKE or TLS, or validation ...


... destination of the request is fixed, which includes: - Authentication requests that span multiple round trips ...
... AVP Code 258) is of type Unsigned32 and is used in order to advertise support of the Authentication and Authorization portion of an application (see Section 2.4). The ...
... Authorization portion of an application (see Section 2.4). The Auth-Application-Id MUST also be present in all Authentication and/or Authorization messages that are defined in a separate Diameter ...


... message routing error). Application errors, on the other hand, generally occur due to a problem with a function specified in a Diameter application (e.g., user authentication, Missing AVP). ...
... This informational error is returned by a Diameter server to inform the access device that the authentication mechanism being used requires multiple round trips, and a subsequent request needs ...
... DIAMETER_AUTHENTICATION_REJECTED 4001 The authentication process for the user failed, most likely due to ...
... DIAMETER_AUTHENTICATION_REJECTED 4001 The authentication process for the user failed, most likely due to an invalid password used by the user ...


... Diameter can provide two different types of services to applications. The first involves authentication and authorization, and can optionally make use of accounting ...
... When a service makes use of the authentication and/or authorization portion of an application, and a user requests access to the network ...
... sessions, and which MUST be observed by all Diameter implementations that make use of the authentication and/or authorization portion of a Diameter application ...
... STR message to be sent, if the given application has both authentication/authorization and accounting portions. ...
... A Diameter server may initiate a re-authentication and/or re-authorization service ...
... session service, to request that the user be re-authenticated and/or re-authorized. Message Format ...
... RAA message MUST be followed by an application-specific authentication and/or authorization message. ...
... bit set, is sent by the access device to inform the Diameter Server that an authenticated and/or authorized session is being terminated. ...
... included in application-specific auth requests to inform the peers whether a user is to be authenticated only, authorized only or both. Note any value other than both MAY cause RADIUS interoperability ...
... issues. The following values are defined: AUTHENTICATE_ONLY 1 The request being sent is for authentication only, and MUST ...
... AUTHENTICATE_ONLY 1 The request being sent is for authentication only, and MUST contain the relevant application specific authentication AVPs ...
... The request being sent is for authentication only, and MUST contain the relevant application specific authentication AVPs that are needed by the Diameter server to authenticate ...
... authentication AVPs that are needed by the Diameter server to authenticate the user. AUTHORIZE_ONLY 2 ...
... service being requested/offered. AUTHORIZE_AUTHENTICATE 3 The request contains a request for both authentication and ...
... AUTHORIZE_AUTHENTICATE 3 The request contains a request for both authentication and authorization. The request MUST include both the relevant ...
... authorization. The request MUST include both the relevant application specific authentication information, and authorization information necessary to identify the service being ...
... to uniquely identify a user session without reference to any other information, and may be needed to correlate historical authentication information with accounting information. The Session-Id includes a ...
... and contains the maximum number of seconds of service to be provided to the user before the user is to be re-authenticated and/or re-authorized. Great care should be taken when the Authorization- ...
... A value of zero (0) means that immediate re-auth is necessary by the access device. This is typically used in cases where multiple authentication methods are used, and a successful auth response with this AVP ...
... this AVP set to zero is used to signal that the next authentication method is to be immediately initiated. The absence of this AVP, or a value of all ones (meaning all bits ...
... Lifetime. AUTHORIZE_AUTHENTICATE 1 An authentication and authorization ...
... AUTHORIZE_AUTHENTICATE 1 An authentication and authorization re-auth is expected upon expiration of the Authorization-Lifetime ...
... This AVP contains the maximum number of seconds that the access device MUST provide the user in responding to an authentication request. ...


... A Diameter node that receives a successful authentication and/or authorization messages from the Home AAA server ...
... Diameter client. If strong authentication across agents is required, end-to-end security ...
... agents is required, end-to-end security may be used for authentication purposes. Different types of accounting ...
... production of these records is directed by Acct-Interim-Interval as well as any re-authentication or re-authorization of the session. The ...
... session. Interim Accounting Records SHOULD be sent every time a re-authentication or re-authorization occurs. Further, additional interim record ...


... Diameter is not intended as a general purpose protocol, and allocations SHOULD NOT be made for purposes unrelated to authentication, authorization or accounting. ...


... transport mode with non-null encryption and authentication algorithms to provide per-packet authentication ...
... authentication algorithms to provide per-packet authentication, integrity protection and confidentiality ...
... Diameter implementations MUST support IKE for peer authentication, negotiation of security associations ...
... IPSECDOI]. Diameter implementations MUST support peer authentication using a pre-shared key, and MAY support certificate- ...
... pre-shared key, and MAY support certificate-based peer authentication using digital signatures. Peer authentication ...
... authentication using digital signatures. Peer authentication using the public key encryption methods outlined in ...
... IKE Main Mode and Aggressive Mode. When pre-shared keys are used for authentication, IKE Aggressive Mode SHOULD be used, and IKE ...
... IKE Main Mode SHOULD NOT be used. When digital signatures are used for authentication, either IKE Main Mode or IKE ...
... When digital signatures are used to achieve authentication, an IKE negotiator SHOULD use IKE ...
... certificate for use in IKE's authentication procedures. The Phase 2 Quick Mode ...
... implementing TLS for security MUST mutually authenticate as part of TLS session establishment. In order to ensure mutual authentication ...
... authenticate as part of TLS session establishment. In order to ensure mutual authentication, the Diameter node acting as TLS ...
... Diameter peer will typically not be configured to allow connectivity with any arbitrary peer. When certificate authentication Diameter peers may not be known beforehand, and therefore peer discovery may ...
... security mechanism. When pre-shared key authentication is used with IPsec to protect Diameter ...


... Aboba, B. and J. Wood, "Authentication, Authorization and Accounting (AAA ...
... Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication Protocol (EAP)", RFC 2284(-> 3748prop), March 1998. ...
... Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 3576, July 2003. ...
... Glass, S., Hiller, T., Jacobs, S. and C. Perkins, "Mobile IP Authentication, Authorization, and Accounting Requirements", RFC 2977 ...
... Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865draft, June 2000. ...


... confidentiality as well as perform end-point authentication. It would thus be difficult if not impossible for an attacker to advertise itself using SLPv2 ...
... network operation it is important to use SLPv2 authentication to prevent an attacker from modifying or eliminating service advertisements ...


